android System Server 分析

SystemServer是Android JAVA 层的系统服务模块，这个模块主要功能就是管理供Android 应用开发的system service.

1.SystemServer 类是如何启动的

    让我们从Android 的启动过程看起，查看init.rc 文件，就会发现下面这一行

service zygote /system/bin/app_process -Xzygote /system/bin --zygote –start-system-server

我们知道zygote 进程是整个Android 的孵化器进程，所有的Activity 进程均是通过它来生成的。我们发现在zygote 进程启动过程中指定了这么一个参数“–start-system-server” ，这个参数就是在zygote 进程启动的同时启动SystemServer 。

    那么SystemServer 是以什么样的形式启动的呢？是单独的一个进程还是线程，分析一下zygote 进程的启动过程就明白了。在Android 中zygote 进程启动其实就是启动/system/bin/app_process这个进程，这个进程的源代码在frameworks/base/cmds/app_process/app_main.cpp中。

 

[c-sharp] view plaincopyprint?

1. if (0 == strcmp("--zygote", arg)) {  
2.             bool startSystemServer = (i < argc) ?  
3.                     strcmp(argv[i], "--start-system-server") == 0 : false;  
4.             setArgv0(argv0, "zygote");  
5.             set_process_name("zygote");  
6.             runtime.start("com.android.internal.os.ZygoteInit",  
7.                 startSystemServer);  
8.         } else {  
9.             set_process_name(argv0);  
10.             runtime.mClassName = arg;  
11.             // Remainder of args get passed to startup class main()  
12.             runtime.mArgC = argc-i;  
13.             runtime.mArgV = argv+i;  
14.             LOGV("App process is starting with pid=%d, class=%s./n",  
15.                  getpid(), runtime.getClassName());  
16.             runtime.start();  
17.         }     

if (0 == strcmp("--zygote", arg)) { bool startSystemServer = (i < argc) ? strcmp(argv[i], "--start-system-server") == 0 : false; setArgv0(argv0, "zygote"); set_process_name("zygote"); runtime.start("com.android.internal.os.ZygoteInit", startSystemServer); } else { set_process_name(argv0); runtime.mClassName = arg; // Remainder of args get passed to startup class main() runtime.mArgC = argc-i; runtime.mArgV = argv+i; LOGV("App process is starting with pid=%d, class=%s./n", getpid(), runtime.getClassName()); runtime.start(); }

    由于zygote 进程启动过程有“--zygote” 这个参数，所以走的是下面这步

        runtime.start("com.android.internal.os.ZygoteInit",startSystemServer);

    查看对象runtime 的类型的定义，

          class AppRuntime : public AndroidRuntime

    因此查看AndroidRuntime 的start 方法中的一段代码(frameworks/base/core/jni/AndroidRuntime.cpp)

[c-sharp] view plaincopyprint?

1. startClass = env->FindClass(slashClassName);  
2.     if (startClass == NULL) {  
3.         LOGE("JavaVM unable to locate class '%s'/n", slashClassName);  
4.         /* keep going */  
5.     } else {  
6.         startMeth = env->GetStaticMethodID(startClass, "main",  
7.             "([Ljava/lang/String;)V");  
8.         if (startMeth == NULL) {  
9.             LOGE("JavaVM unable to find main() in '%s'/n", className);  
10.             /* keep going */  
11.         } else {  
12.             env->CallStaticVoidMethod(startClass, startMeth, strArray); 
13. #if 0   
14.             if (env->ExceptionCheck())  
15.                 threadExitUncaughtException(env);  
16. #endif   
17.         }  
18.     }  

startClass = env->FindClass(slashClassName); if (startClass == NULL) { LOGE("JavaVM unable to locate class '%s'/n", slashClassName); /* keep going */ } else { startMeth = env->GetStaticMethodID(startClass, "main", "([Ljava/lang/String;)V"); if (startMeth == NULL) { LOGE("JavaVM unable to find main() in '%s'/n", className); /* keep going */ } else { env->CallStaticVoidMethod(startClass, startMeth, strArray); #if 0 if (env->ExceptionCheck()) threadExitUncaughtException(env); #endif } }

    其中startClass 即为"com.android.internal.os.ZygoteInit"，这段代码调用了com.android.internal.os.ZygoteInit的main 函数。

    那么再往下看ZygoteInit 类的main 函数，其中的一段MethodAndArgsCaller代码为

[c-sharp] view plaincopyprint?

1. if (argv[1].equals("true")) {  
2.     startSystemServer();  
3. } else if (!argv[1].equals("false")) {  
4.     throw new RuntimeException(argv[0] + USAGE_STRING);  
5. }  

if (argv[1].equals("true")) { startSystemServer(); } else if (!argv[1].equals("false")) { throw new RuntimeException(argv[0] + USAGE_STRING); }

调用了startSystemServer()，这个函数启动了一个子进程来作为SystemServer的载体，

1.它首先指定SystemServer进程的参数;

2.根据指定的参数来创建SystemServer进程；

3.调用handleSystemServerProcess启动第一步指定进程参数过程中指定的类，此时为“com.android.server.SystemServer”，启动的这个进程在ps查看后显示为”system_server”。

 

[c-sharp] view plaincopyprint?

1. private static boolean startSystemServer()  
2.             throws MethodAndArgsCaller, RuntimeException {  
3.         /* Hardcoded command line to start the system server */  
4.         String args[];  
5.         String ashmem_size = System.getProperty("gralloc.ashmem_size");  
6.         if ((null != ashmem_size) && (0 != ashmem_size.length())) {  
7.           args = new String[] {  
8.             "--setuid=1000",  
9.             "--setgid=1000",  
10.             "--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,3001,3002,3003",  
11.             "--capabilities=130104352,130104352",  
12.             "--rlimit=8,",  
13.             "--runtime-init",  
14.             "--nice-name=system_server",  
15.             "com.android.server.SystemServer",  
16.           };  
17.           args[4] = args[4].concat(ashmem_size);  
18.           args[4] = args[4].concat(",");  
19.           args[4] = args[4].concat(ashmem_size);  
20.         } else {  
21.           args = new String[] {  
22.             "--setuid=1000",  
23.             "--setgid=1000",  
24.             "--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,3001,3002,3003",  
25.             "--capabilities=130104352,130104352",  
26.             "--runtime-init",  
27.             "--nice-name=system_server",  
28.             "com.android.server.SystemServer",  
29.           };  
30.         }  
31.         ZygoteConnection.Arguments parsedArgs = null;  
32.         int pid;  
33.         try {  
34.             parsedArgs = new ZygoteConnection.Arguments(args);  
35.             /* 
36.              * Enable debugging of the system process if *either* the command line flags 
37.              * indicate it should be debuggable or the ro.debuggable system property 
38.              * is set to "1" 
39.              */  
40.             int debugFlags = parsedArgs.debugFlags;  
41.             if ("1".equals(SystemProperties.get("ro.debuggable")))  
42.                 debugFlags |= Zygote.DEBUG_ENABLE_DEBUGGER;  
43.             int[][] rlimits = new int[0][0];  
44.             if (parsedArgs.rlimits != null) {  
45.               rlimits = parsedArgs.rlimits.toArray(rlimits);  
46.             }  
47.             /* Request to fork the system server process */  
48.             pid = Zygote.forkSystemServer(  
49.                     parsedArgs.uid, parsedArgs.gid,  
50.                     parsedArgs.gids, debugFlags, rlimits,  
51.                     parsedArgs.permittedCapabilities,  
52.                     parsedArgs.effectiveCapabilities);  
53.         } catch (IllegalArgumentException ex) {  
54.             throw new RuntimeException(ex);  
55.         }  
56.         /* For child process */  
57.         if (pid == 0) {  
58.             handleSystemServerProcess(parsedArgs);  
59.         }  
60.         return true;  
61.     }  

private static boolean startSystemServer() throws MethodAndArgsCaller, RuntimeException { /* Hardcoded command line to start the system server */ String args[]; String ashmem_size = System.getProperty("gralloc.ashmem_size"); if ((null != ashmem_size) && (0 != ashmem_size.length())) { args = new String[] { "--setuid=1000", "--setgid=1000", "--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,3001,3002,3003", "--capabilities=130104352,130104352", "--rlimit=8,", "--runtime-init", "--nice-name=system_server", "com.android.server.SystemServer", }; args[4] = args[4].concat(ashmem_size); args[4] = args[4].concat(","); args[4] = args[4].concat(ashmem_size); } else { args = new String[] { "--setuid=1000", "--setgid=1000", "--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,3001,3002,3003", "--capabilities=130104352,130104352", "--runtime-init", "--nice-name=system_server", "com.android.server.SystemServer", }; } ZygoteConnection.Arguments parsedArgs = null; int pid; try { parsedArgs = new ZygoteConnection.Arguments(args); /* * Enable debugging of the system process if *either* the command line flags * indicate it should be debuggable or the ro.debuggable system property * is set to "1" */ int debugFlags = parsedArgs.debugFlags; if ("1".equals(SystemProperties.get("ro.debuggable"))) debugFlags |= Zygote.DEBUG_ENABLE_DEBUGGER; int[][] rlimits = new int[0][0]; if (parsedArgs.rlimits != null) { rlimits = parsedArgs.rlimits.toArray(rlimits); } /* Request to fork the system server process */ pid = Zygote.forkSystemServer( parsedArgs.uid, parsedArgs.gid, parsedArgs.gids, debugFlags, rlimits, parsedArgs.permittedCapabilities, parsedArgs.effectiveCapabilities); } catch (IllegalArgumentException ex) { throw new RuntimeException(ex); } /* For child process */ if (pid == 0) { handleSystemServerProcess(parsedArgs); } return true; }

     通过以上过程就会调用到SystemServer 类，且是运行在一个名为“ system_server” 的进程中，这个进程为 zygote 的子进程。

     虽然 SystemServer 类是运行在 system_server 中的，但是它并不运行在 system_server 的主线程中。

     上代码

[c-sharp] view plaincopyprint?

1. private static void handleSystemServerProcess(  
2.             ZygoteConnection.Arguments parsedArgs)  
3.             throws ZygoteInit.MethodAndArgsCaller {  
4.         closeServerSocket();  
5.         /* 
6.          * Pass the remaining arguments to SystemServer. 
7.          * "--nice-name=system_server com.android.server.SystemServer" 
8.          */  
9.         RuntimeInit.zygoteInit(parsedArgs.remainingArgs);ZygoteInit  
10.         /* should never reach here */  
11.     }  
12.     public static final void zygo用teInit(String[] argv)  
13.             throws ZygoteInit.MethodAndArgsCaller {  
14.         // TODO: Doing this here works, but it seems kind of arbitrary. Find  
15.         // a better place. The goal is to set it up for applications, but not  
16.         // tools like am.   
17.         System.setOut(new AndroidPrintStream(Log.INFO, "System.out"));  
18.         System.setErr(new AndroidPrintStream(Log.WARN, "System.err"));  
19.         commonInit();  
20.         zygoteInitNative();  
21.         int curArg = 0;  
22.         for ( /* curArg */ ; curArg < argv.length; curArg++) {  
23.             String arg = argv[curArg];  
24.             if (arg.equals("--")) {  
25.                 curArg++;  
26.                 break;  
27.             } else if (!arg.startsWith("--")) {  
28.                 break;  
29.             } else if (arg.startsWith("--nice-name=")) {  
30.                 String niceName = arg.substring(arg.indexOf('=') + 1);  
31.                 Process.setArgV0(niceName);  
32.             }  
33.         }  
34.         if (curArg == argv.length) {  
35.             Slog.e(TAG, "Missing classname argument to RuntimeInit!");  
36.             // let the process exit   
37.             return;  
38.         }  
39.         // Remaining arguments are passed to the start class's static main  
40.         String startClass = argv[curArg++];  
41.         String[] startArgs = new String[argv.length - curArg];  
42.         System.arraycopy(argv, curArg, startArgs, 0, startArgs.length);  
43.         invokeStaticMain(startClass, startArgs);  
44.     }  
45.    private static void invokeStaticMain(String className, String[] argv)  
46.             throws ZygoteInit.MethodAndArgsCaller {  
47. 用  
48.         // We want to be fairly aggressive about heap utilization, to avoid  
49.         // holding on to a lot of memory that isn't needed.  
50.         VMRuntime.getRuntime().setTargetHeapUtilization(0.75f);  
51.         Class<?> cl;  
52.         try {  
53.             cl = Class.forName(className);  
54.         } catch (ClassNotFoundException ex) {  
55.             throw new RuntimeException(  
56.                     "Missing class when invoking static main " + className,  
57.                     ex);  
58.         }  
59.         Method m;  
60.         try {  
61.             m = cl.getMethod("main", new Class[] { String[].class });  
62.         } catch (NoSuchMethodException ex) {  
63.             throw new RuntimeException(  
64.                     "Missing static main on " + className, ex);  
65.         } catch (SecurityException ex) {  
66.             throw new RuntimeException(  
67.                     "Problem getting static main on " + className, ex);  
68.         }  
69.         int modifiers = m.getModifiers();用  
70.         if (! (Modifier.isStatic(modif用iers) && Modifier.isPublic(modifiers))) {  
71.             throw new RuntimeException(  
72.                     "Main method is not用 public and static on " + className);  
73.         }  
74.         /* 
75.          * This throw gets caught in ZygoteInit.main(), which responds 
76.          * by invoking the exception's run() method. This arrangement 
77.          * clears up all the stack frames that were required in setting 
78.          * up the process. 
79.          */  
80.         throw new ZygoteInit.MethodAndArgsCaller(m, argv);  
81.     }  

private static void handleSystemServerProcess( ZygoteConnection.Arguments parsedArgs) throws ZygoteInit.MethodAndArgsCaller { closeServerSocket(); /* * Pass the remaining arguments to SystemServer. * "--nice-name=system_server com.android.server.SystemServer" */ RuntimeInit.zygoteInit(parsedArgs.remainingArgs);ZygoteInit /* should never reach here */ } public static final void zygo用teInit(String[] argv) throws ZygoteInit.MethodAndArgsCaller { // TODO: Doing this here works, but it seems kind of arbitrary. Find // a better place. The goal is to set it up for applications, but not // tools like am. System.setOut(new AndroidPrintStream(Log.INFO, "System.out")); System.setErr(new AndroidPrintStream(Log.WARN, "System.err")); commonInit(); zygoteInitNative(); int curArg = 0; for ( /* curArg */ ; curArg < argv.length; curArg++) { String arg = argv[curArg]; if (arg.equals("--")) { curArg++; break; } else if (!arg.startsWith("--")) { break; } else if (arg.startsWith("--nice-name=")) { String niceName = arg.substring(arg.indexOf('=') + 1); Process.setArgV0(niceName); } } if (curArg == argv.length) { Slog.e(TAG, "Missing classname argument to RuntimeInit!"); // let the process exit return; } // Remaining arguments are passed to the start class's static main String startClass = argv[curArg++]; String[] startArgs = new String[argv.length - curArg]; System.arraycopy(argv, curArg, startArgs, 0, startArgs.length); invokeStaticMain(startClass, startArgs); } private static void invokeStaticMain(String className, String[] argv) throws ZygoteInit.MethodAndArgsCaller { 用 // We want to be fairly aggressive about heap utilization, to avoid // holding on to a lot of memory that isn't needed. VMRuntime.getRuntime().setTargetHeapUtilization(0.75f); Class<?> cl; try { cl = Class.forName(className); } catch (ClassNotFoundException ex) { throw new RuntimeException( "Missing class when invoking static main " + className, ex); } Method m; try { m = cl.getMethod("main", new Class[] { String[].class }); } catch (NoSuchMethodException ex) { throw new RuntimeException( "Missing static main on " + className, ex); } catch (SecurityException ex) { throw new RuntimeException( "Problem getting static main on " + className, ex); } int modifiers = m.getModifiers();用 if (! (Modifier.isStatic(modif用iers) && Modifier.isPublic(modifiers))) { throw new RuntimeException( "Main method is not用 public and static on " + className); } /* * This throw gets caught in ZygoteInit.main(), which responds * by invoking the exception's run() method. This arrangement * clears up all the stack frames that were required in setting * up the process. */ throw new ZygoteInit.MethodAndArgsCaller(m, argv); }

由代码可以看出，在调用函数invokeStaticMain 的最后会抛出一个异常。

   

[c-sharp] view plaincopyprint?

1. public static class MethodAndArgsCaller extends Exception implements Runnable   

public static class MethodAndArgsCaller extends Exception implements Runnable

回过头再看一下 ZygoteInit 类的 main 函数中的一段代码

[c-sharp] view plaincopyprint?

1. } catch (MethodAndArgsCaller caller) {   
2.   
3.     caller.run();   
4.   
5. }   

} catch (MethodAndArgsCaller caller) { caller.run(); }

其实就是在这个抛出的异常中启动了 SystemServer 类，且这个异常为一个 Runnable 类型，因此 SystemServer 类就运行在 system_server 进程中的一个新的线程里。

2.SystemServer 执行内容

1. 执行 frameworks/base/cmds/system_server/library/system_init.cpp 中的 system_init 函数，启动当前进程，也就是进程 system_server 的 pool thread ，以便执行 Binder IPC 操作。

2. 向 SM(Service Manager) 添加系统服务。

作者QQ 240136495

http://www.cstechcn.com网络安全